Hi,
this issue was found by Steeve, he tried to validate a trust manually
from AD and was repeatedly ask for the admin password without any
progress. It turned out that the ipaNTHash was not set through the
MagicRegen mechanism and samba always returned NT_STATUS_WRONG_PASSWORD.

Advertising

This patch should fix it. I attached a patch for 3.0 as well because the
touched file was renamed.
bye,
Sumit

From 8bae65bc0afef181562b238d3a61d4d1dc7b3bde Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 7 Oct 2013 16:49:33 +0200
Subject: [PATCH] Use the right attribute with ipapwd_entry_checks for
MagicRegen
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index
8a222650cbd7348f419c8b697fa9b9784a66eb22..64a9d314015b47f0e224410f8f3f2460dbce57bc
100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -554,7 +554,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
rc = ipapwd_entry_checks(pb, e,
&is_root, &is_krb, &is_smb, &is_ipant,
- SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE);
+ is_pwd_op ? SLAPI_USERPWD_ATTR : "ipaNTHash",
+ SLAPI_ACL_WRITE);
if (rc) {
goto done;
}
--
1.8.1.4

From 2e724b9dcdb9b98ea6d8b232074f2a5d5d34a939 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 7 Oct 2013 16:49:33 +0200
Subject: [PATCH] Use the right attribute with ipapwd_entry_checks for
MagicRegen
There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos
key is available for the corresponding user. This is typically triggered
by samba via the ipa_sam passdb plugin. The principal used by samba to
connect to the IPA directory server has the right to modify ipaNTHash
but no other password attribute. This means that the current check on
the userPassword attribute is too strict for this case and leads to a
failure of the whole operation.
With this patch the access right on ipaNTHash are checked if no other
password operations are requested.
---
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index
e4909c94585b6fac6b7f8347b806a8841107f3d0..f5cda73ca5a433a0432538169bfbd8d75182f280
100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -547,7 +547,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
rc = ipapwd_entry_checks(pb, e,
&is_root, &is_krb, &is_smb, &is_ipant,
- SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE);
+ is_pwd_op ? SLAPI_USERPWD_ATTR : "ipaNTHash",
+ SLAPI_ACL_WRITE);
if (rc) {
goto done;
}
--
1.8.1.4